Ethereum could afford a 51% attack on Bitcoin, and profit greatly from it

[mjdamgaard]

now lets again ask you to do the math using jsut a small headstart
a 51% of honest network(2% advantage) is not enough hashpower to race against the honest network that is minimum 6confirm ahead
work out using math how many blocks it would take before the dishonest network can overtake the honest network

hint if just 6 confirm lead. the dishonest network with a 10% advantage(55% network) would need atleast ~44 blocks just to re-org a block that was initially just 6 blocks behind honest pools when the attack was initiated* and would need over 55 to be then 1 block ahead of the honest pools

* this is just a 6 block re-wind/re-org timeframe with a 10% lead(55% of network)
https://talkimg.com/images/2024/08/06/5vDxP.png

the more blocks a malicious pool need to go back. the more speed blocks it would require to build on from its edited block to then catch up
so if the service had a next day-72 hour goods/fiat delivery time.. the networks catchup time would be multiple factors longer to catch up

what you also find out is during those missing time blocks of dishonest catch-up time. there may be some miners working on that dishonest pool seeing that although it aided in building XX+ blocks for its pool for the pool manager to double spend pool managers funds. the miners are not seeing their attempted blocks ID and previous block ID visibly on the honest network YET, thus think they are running on some altcoin, so they would want to protect their investment, would jump to a honest pool whos blocks are visible

again the dishonest pool wont show results instantly. but would take time to get ahead of honest network to have results seen and the more blocks it has to go back the longer it takes to catch up to show results

run the math

With 55% of the hash power, it will take, let's do some math: 55% × (6 blocks/hour) × t > 45% × (6 blocks/hour) × t + 6 blocks  <=>  t × (6 blocks/hour) × (55% - 45%) > 6 blocks  <=>  t > 6 blocks / (6 blocks/hour × 10%) = 10 hours.

In an earlier reply, you agreed that a 51% attack from Ethereum could last for several months in principle. (And in fact, if they go absolutely all in on the attack, then it could even be many years, at least in theory, as mentioned in my preprint.)

[...]
but you would only be able to do this effectively if you when spending first, received goods or services or another currency to keep that value. to then reverse the transaction to then spend the transaction amount again to double your value.
if you deposited funds into an exchange. and then bought ethereum again. but didnt withdraw it and just had it as exchange database balance. if you reversed your btc deposit tx. the exchange can just change its database balance of the eth to not give you the eth.. you would have needed to withdraw the eth to then not allow the service to react.

this means spending alot first(significant amount worthy of doing a re-org), waiting for the service to accept the amount is settled(significant amount would be 6confirms+), release their goods/service/other currency to you, wait for you to deem that other value type as received and then edit the blockchain to double spend the initial transaction amount to then be edited out the blockchain

this is not something you can do within just a couple blocks of the honest network.

meaning honest network then gets a blockheight headstart of 7 blocks ahead of dishonest pool, which then have to build on to catch up*
this 7 block difference takes time for the dishonest pool to catch up
(reality is if an exchange service does fiat withdrawal from your initial btc deposit you are not only waiting 6 confirms for the deposited to be accepted but then waiting for X time(can be 72hours(432 blocks)) for the fiat to clear your bank on withdrawal request)
(reality is if you buy goods with your initial btc spend, you have to wait for delivery of goods which would be alteast next day(144blocks))

When analyzing a 51% attack, is it normally assumed that attackers need to trade the stolen bitcoin for other goods/services/currency due to the fact that the value of BTC might crash as a consequence. Is this why you say that they would need to trade to other goods/services/currency?

If so, note that in a Goldfinger attack, i.e. when the attackers believe that any loss of bitcoin due to a crash in its value will be covered by gains due to their reverse stake, then they don't need to trade their stolen bitcoin immediately (in fact, it would probably be better not to, for legal reasons; better white-wash them first by transferring them around between different wallets).

[franky1]

now lets again ask you to do the math using jsut a small headstart
a 51% of honest network(2% advantage) is not enough hashpower to race against the honest network that is minimum 6confirm ahead
work out using math how many blocks it would take before the dishonest network can overtake the honest network

hint if just 6 confirm lead. the dishonest network with a 10% advantage(55% network) would need atleast ~44 blocks just to re-org a block that was initially just 6 blocks behind honest pools when the attack was initiated* and would need over 55 to be then 1 block ahead of the honest pools

* this is just a 6 block re-wind/re-org timeframe with a 10% lead(55% of network)


the more blocks a malicious pool need to go back. the more speed blocks it would require to build on from its edited block to then catch up
so if the service had a next day-72 hour goods/fiat delivery time.. the networks catchup time would be multiple factors longer to catch up

what you also find out is during those missing time blocks of dishonest catch-up time. there may be some miners working on that dishonest pool seeing that although it aided in building XX+ blocks for its pool for the pool manager to double spend pool managers funds. the miners are not seeing their attempted blocks ID and previous block ID visibly on the honest network YET, thus think they are running on some altcoin, so they would want to protect their investment, would jump to a honest pool whos blocks are visible

again the dishonest pool wont show results instantly. but would take time to get ahead of honest network to have results seen and the more blocks it has to go back the longer it takes to catch up to show results

run the math

With 55% of the hash power, it will take, let's do some math: 55% × (6 blocks/hour) × t > 45% × (6 blocks/hour) × t + 6 blocks  <=>  t × (6 blocks/hour) × (55% - 45%) > 6 blocks  <=>  t > 6 blocks / (6 blocks/hour × 10%) = 10 hours.

In an earlier reply, you agreed that a 51% attack from Ethereum could last for several months in principle. (And in fact, if they go absolutely all in on the attack, then it could even be many years, at least in theory, as mentioned in my preprint.)

when doing an attack to re-org the blockchain to double spend your funds. each attempt is not going to happen in minutes. i was explaining that you first need to spend the funds and get goods or things of value in  another form to then want to reset the network and remove the transactions existance to then spend it again. this will take not minutes but hours.

like i said if you want to attack the network to get double spend value of any significance services already delay things like deposits and withdrawals via things like X confirm wait or 72hour for bank withdrawals or 1 day to deliver packages. so you have to wait more then 6 blocks before resetting the tx/block

i used a 6 block min as a minimum for simple math.
but if you wanted to sell coin for fiat where its $1m involved you would have to wait 72 hours (432 blocks) and then go back 432 blocks and start from that point and then move forward.. which to then move forward and catch up would be like a 432*9 factor(3888)

by which time those participating in mining these unseen 3887 blocks before they match the honest network. those participating wont see those blocks on the network and would be more then likely prefer to jump away from the malicious pool because for 3887 blocks unseen also means not getting any rewards and also the honest network can still beat the dishonest network where the honest network may not get ahead for many other mitigating reasons.

yes the malicious pool after like 4000 blocks can then do it again. and for months respend a respend of a respend by keep repeating it for years. but again those participating unless they are seeing profits can simply jump to a honest pool in SECONDS

so while you think its a guarantee that a malicious pool with have endless power more then honest pools. what you dont realise is when the dishonest group are persuaded in the dishonest task to raid their eth stake, and buy bitcoin hardware, are more so pursuaded once invested in bitcoin to become honest, due to the lack of ongoing sat rewards per block because they are only getting possible returns of investment rarely and only if the malicious pool achieves the goal

a malicious pool wont reset the network transactions just to respend a coffee cup amount when it involves the risks of the honest network doing counter activities and also where it costs hundreds of thousands per block to do an attack which over 50-4000 blocks adds up to alot that the malicious pool would have needed to initially spend and receive goods from before trying to reset to then spend again to break even per attempt

so unless they are initially buying lambo's/mansions and ensuring the car/house is registered.. or they get $Xm's fiat in bank accounts that cant be cancelled/refunded/returned.. its not worth doing a double spend attack as its not as cheap as you think per attack
..
as for doing it to just win every block or every 2nd block to then spend the block rewards. again if you want to crash the market as a pool manager, you will find your asic workers you incited to be on your pool may want to get ROI on their hardware and instead want to save the network by jumping to honest pools now they are invested in bitcoin hardware and also help the market

..
also you lastly say white wash coins by moving them to different wallets(facepalm)
if you are re-orging blocks then any attempt to move funds gets undone when you the reset the blocks that moved the coins..
you cant just hoard coins and delete transactions because(let this sink in) the transactions is where the coins are.. they are not stored separately in wallets

your wallet does not store coins... your wallet just stores the signing key
if your resetting the transactions your resetting which addresses have the coins

[d5000]

I suggest that Bitcoin might switch to PoS.

As I wrote in my last post mitigation strategies for 51% attacks were already discussed, like the switch of the mining algorithm. In 2017, for example this was discussed as a last resort action against Asicboost, even if this wasn't really a 51% threat but an efficiency improvement with a patented technology many Bitcoiners rejected. This would stop the attack and leave the attackers with worthless hardware, so it would also influence negatively the incentives to carry out the attack. It would harm the original miners, but a change to PoS would have an even worse effect, as they wouldn't even be able to re-use their installations with other hardware (staying in the Bitcoin business).

Bitcoin could even improve with this move, e.g. switching to a then more modern hashing algorithm.

The attackers, of course, can try to prevent (e.g. investing in botnets for a "second-line" attack too) but the costs would increase drastically.

So my proposed mitigation strategy would be:

1) General measure against any 50+% attack: Leave the door open for a change in the mining algorithm. Don't concentrate on a single algorithm like Scrypt, making it more difficult for any attacker to prepare for this event. Perhaps even maintain a fork of Bitcoin code with several other algorithms, so the switch can happen rapidly.

2) Specific measure against a "rival blockchain attack": Identify a third blockchain directly competing with the attack blockchain (in the case of Ethereum being the attack chain, for example Solana, Cardano or Avalanche). So those invested both in the attacked and the attacker blockchain can dump their stakes on the attacker blockchain buying the third chain's coins, reducing the attacker blockchain's value and increasing the third blockchain's value. The third blockchain's whales will very likely not participate in the attack, because they will benefit much more if the attack blockchain crashes and they can get the market share.

3) Extreme last resort: I would not be against just preparing the ground for a fork with PoS (e.g. with a proof of concept or even a testnet "what could happen" if PoW really fails), which would be never enacted. But the possibility alone should disincentive any attack based on supposed specific PoW vulnerabilities. If #1 is a standard nuclear bomb (can be employed in rare cases like Hiroshima/Nagasaki), this would be the H bomb (will never be used but it's advantageous to have it).

[mjdamgaard]

you went too literal about the word milks to talk about it a consumable rather then realise i was talking about any product has a real production cost and a separate retail price

Oh, I've asked about clarification on this point earlier. Do you mind? Are you really saying that miners are able to sell their minted bitcoin at a higher price than the "retail" market price? Or perhaps the other way around: that the miners are only able to sell it at a lower price than the "retailers," similar to most other real-world cases, like the milk example?

im saying if production cost of most efficient asics is $48k/btc COST..  only those at $48k+ would sell at $48k+ to break even/profit. no one likes to sell at a loss

those with higher costs would just retain coin and wait for the market to rise before selling
this causes a lack of supply on the market

also those with coin from say 2012 ($6/btc cost) may have sold to someone else in 2017 at $20k, where that buyer of that coin has a now $20k min break even so wont sell for $6 even if that coins origins had a mining cost initially of $6.. if then the guy that bought the $6 mined coin for $20k then sells that coin to someone else in 2021  ATH for $70k. the new buyer sets their break even at $70k so wont be selling their stash for under $70k
thus although the coin mined in 2012 had a mining cost of just $6 it has a current break even cost of $70k thus wont be on the market when the market price is $50k.. and would be retaining the coin off the market and wait for the market to reach their desired amount..
so again less supply willing to sell at <$50k

i for instance am one of the rare ones with coins still held from 20212($6/btc). however im not ready to sell and no i wont be interested in selling at <$50k even if my initial cost was just $6/btc..
those that do panic about markets more than likely already have sold and as such the new buyer sets the new break even amount

when you look at the mining costs and the coin acquisition costs of coin movements (realised value) you start to build a picture of how much coin is supporting certain price levels

if people are willing to sell at a loss. they probably already have. EG those that bought at $70k in 2021 and panicing in the 2022 $15k price range. if stupid enough to sell at a loss. they already have. meaning the new buyer at $15k+ in 2022+ may have more control of emotion to not sell at a loss.
which reciprocally they would sell at profit only in the $15k-$75k range of 2022-2024. where the next buyer then sets their break even above the $15k range. again strengthening the periodic bottoms of 2023-2024 of $25k- ~$50k

and no..its not about the market being $50k today and people are finding ways to sell coin today for $70k-$300k. its about people setting limits of break even to decide to sell now at $50k today OR hold onto coin because its not yet time to sell, they wait for the market to rise to sell when the market price is right

if people have no intention to sell in the 2024 period of $50k-$70k they wont put their coin into the market, they obviously want to wait for more then $75k before selling so are just holding onto coin and not putting it on the market

then you have to look at the other side of the market.. when there are regions of the planet where it costs $300k to mine (they assess cost before actually investing) they see its not worth mining at $300k a coin and would happily buy coin at $50k+ from the market. which also supports the market and the underlying value because they know chances of getting coin via any market for less is extremely thin, because even trying to get coin via OTC hidden markets of the most efficient mining pools will still have those efficient miners not wanting to sell below $50k today

I don't know if this sub-discussion is worth pursuing for much longer, unless you are actually claiming that Bitcoin doesn't need to fear a vulnerability because the value will never drop below a certain value. Is this really so?

In case truly you are claiming this, let me give a small example that will hopefully convince you that your theory is not applicable here (nor in many other cases):

Suppose that I am a car factory that produces 1000 cars at a cost of $50,000 apiece, and suppose then that it turns out that there is, say, a security flaw (faulty steering or whatever) that almost kills the demand for the car, and that people do not want to buy the cars for more than, say, $20,000. Then I can't just wait for the demand to magically increase to allow me to sell them for >$50,000 at some point. Instead I will be forced to sell them at $20,000.

The theory that you are using implicitly assumes that there is a static demand for bitcoin; that people have a need to collect them. But as User @d5000 also points out, there isn't.

You are also explicitly assuming that 'the miners can just wait for the market price to rise again.' This is simply false. If the value of Bitcoin was as sure to rise again as you claim, then EVERYONE would buy bitcoin. No. If the demand for bitcoin drops, the price drops with it (since the supply is steady, at least in periods between Bitcoin Halving dates).

[mjdamgaard]

also you lastly say white wash coins by moving them to different wallets(facepalm)
if you are re-orging blocks then any attempt to move funds gets undone when you the reset the blocks that moved the coins..
you cant just hoard coins and delete transactions because(let this sink in) the transactions is where the coins are.. they are not stored separately in wallets

your wallet does not store coins... your wallet just stores the signing key
if your resetting the transactions your resetting which addresses have the coins

I was talking about transfers after the attack. I thought that this was quite obvious, but apparently it wasn't, sorry.

[mjdamgaard]

by which time those participating in mining these unseen 3887 blocks before they match the honest network. those participating wont see those blocks on the network and would be more then likely prefer to jump away from the malicious pool because for 3887 blocks unseen also means not getting any rewards and also the honest network can still beat the dishonest network where the honest network may not get ahead for many other mitigating reasons.

yes the malicious pool after like 4000 blocks can then do it again. and for months respend a respend of a respend by keep repeating it for years. but again those participating unless they are seeing profits can simply jump to a honest pool in SECONDS

so while you think its a guarantee that a malicious pool with have endless power more then honest pools. what you dont realise is when the dishonest group are persuaded in the dishonest task to raid their eth stake, and buy bitcoin hardware, are more so pursuaded once invested in bitcoin to become honest, due to the lack of ongoing sat rewards per block because they are only getting possible returns of investment rarely and only if the malicious pool achieves the goal

You seem to assume here again, at least during these few paragraphs, that the attackers try to steal a larger share of the newly minted coins (as miners). This is not their objective. Their objective is to steal a lot more than that via trades that they then rewrite afterwards, keeping only their ingoing transactions. (And their ultimate objective is actually to cause a crash of the cryptocurrency, assuming that this is what will happen.)

Think of it as the Key and Peele sketch that User @HeRetiK mentioned above, but instead of their "plot" being to earn a salary, their plot is rather to sabotage the bank from within, causing it to crash, and then get a much greater reward from a competitor.

As a side note, if we dive deeper into this metaphor, then the competitor probably wouldn't try this in real life if it can be traced back to them. This has also been a point that we have discussed a little in this discussion thread: Would the Ethereum stakeholders not ruin their reputation if they did this to Bitcoin? I think it is worth noting here, however, that the attack will in theory only require a fraction of the stakeholders to make it profitable for them, and they can reward the attack anonymously, as I point out in my preprint. So it will be almost impossible to prosecute, first of all, and the majority of the Ethereum community might even be seen as innocent.

This is assuming that the Ethereum community wants to be seen as innocent. But with enough campaign money, and enough time, both of which they have, I personally think that they will be able to convince a large part of the public that a switch to PoS is better; both for security, for reduced operational costs, which the users and investors ultimately have to pay, and not least for the planet, which is a topic that seems to generally be efficient in swaying a large part of the public.

[mjdamgaard]

when doing an attack to re-org the blockchain to double spend your funds. each attempt is not going to happen in minutes. i was explaining that you first need to spend the funds and get goods or things of value in  another form to then want to reset the network and remove the transactions existance to then spend it again. this will take not minutes but hours.

like i said if you want to attack the network to get double spend value of any significance services already delay things like deposits and withdrawals via things like X confirm wait or 72hour for bank withdrawals or 1 day to deliver packages. so you have to wait more then 6 blocks before resetting the tx/block

[...]

so unless they are initially buying lambo's/mansions and ensuring the car/house is registered.. or they get $Xm's fiat in bank accounts that cant be cancelled/refunded/returned.. its not worth doing a double spend attack as its not as cheap as you think per attack

I think that out of all our ongoing discussions, @franky1, this is currently the most interesting: Can the attackers actually steal enough bitcoin that they will be able to make a profit, given that the value of Bitcoin does not crash?

Let me start by pointing out that the daily transactions is currently around $15B. The daily mining rewards (greater than the costs) are only ~0.13% of this, currently. So the attackers would need to account for only ~0.13% of the trade in the time leading up to an attack. And again, since they are rewarded in case of a crash (which is the whole point of this Goldfinger attack), they do not need to keep the USD, or whatever they are trading the bitcoin for (although they could simply trade bitcoin for bitcoin or tokens, at least in principle). They can rather spend the USD immediately to make new trades, then repeat.

[franky1]

You seem to assume here again, at least during these few paragraphs, that the attackers try to steal a larger share of the newly minted coins (as miners). This is not their objective. Their objective is to steal a lot more than that via trades that they then rewrite afterwards, keeping only their ingoing transactions. (And their ultimate objective is actually to cause a crash of the cryptocurrency, assuming that this is what will happen.)

if they keep only their own tx. they cant do double spends..
remember they can only double spend their own value they control so if they are not reversing their own transactions then they cant double spend
also by reversing other peoples transactions they cant then take control of other peoples. because the malicious side does not have the key to sign the fund of other people. so in no way can a malicious side steal funds by reversing other peoples transactions.
emphasis a double spend is only able to happen by the malicious side reversing its own transaction and then re-spending their own value

to which i explained to achieve that the people in the attack need to convert their btc to goods/services/other currency. receive those goods/services/other currency in a settled final manner.. and THEN they can undo the blocks containing the transactions they want to reverse knowing they already have the value settled in another form(goods/fiat/altcoin). to then know when the btc transaction is reversed they can then respend the btc again to a different recipient.. to double spend that same btc

[...]
but you would only be able to do this effectively if you when spending first, received goods or services or another currency to keep that value. to then reverse the transaction to then spend the transaction amount again to double your value.

When analyzing a 51% attack, is it normally assumed that attackers need to trade the stolen bitcoin for other goods/services/currency due to the fact that the value of BTC might crash as a consequence. Is this why you say that they would need to trade to other goods/services/currency?

its not about "crashing" its about the method to double spend btc successfully via block re-orgs

you keep avoiding one point by presenting another point to attempt to evade running scenarios to find out your first point falls flat. you have done this many times now.. evaded one scenario by trying to play dumb and try to raise another scenario to then evade that scenario by taking it in context of another scenario

so lets make it clear

if your only scenario result you want is a market crash attempt, lets fully delve into that scenario
firstly when adding another 50% of network hashrate. it means the honest network has double the competition. AND EMPHASIS: half as much reward and double the cost of mining due to higher difficulty due to the competition..
this pushes up the basic value:premium window which then causes all those assessing the acquisition methods of btc to then have a higher speculative price expectation which means all those wanting btc would be more willing to buy higher and the sellers wont sell for less but instead only willing to sell for more.. this would cause the market to go UP

as for you saying about re-orging blocks to then mess with the market to crash it.
to be successful with that when the malicious pools deposits coin into an exchange. it has to wait for the exchange to deem the funds are settled with them (6 confirms for any significant amount deposited) the malicious users would then have to waste their deposit balance on orders to force a crash. and then remove the other currency to then re-org the blockchain to undo the deposit. so they can then do it again
however exchanges will notice these tactics of re-using a utxo thats was previously spent, and just block/ban users thus avoiding users abusing their balance database and market orders
also as said to do this, they cant just respend the same utxo every block by doing re-orgs every block. as i explained they would need to go through a process of delaying a 51% blockchain attack by ~50-4000 blocks to play each round out to then re-do it again.. by which time even the invited people to the malicious pool whom bought into bitcoin hardware will see the negative affects actually hurt their investment and they can within seconds jump to honest pools. where by it takes a malicious pool multiple hours/days per attack round

however in a ethereum attack the custodian of stake can manipulate blocks whereby the stakers wont counter it, because the stakers funds are at risk(the penalty) and the stakers cant simply jump to a honest custodian in seconds because it takes a day to de-stake. so the risk of a dishonest custodian on ethereum is far more harmful to ethereum users than a bitcoin attack is to bitcoin

if you want to delve dep into a blockchain attack to effect a CEX market you really need to learn the difference between the blockchain transactions which are not the market price orders vs the CEX balance and market order databases which are not the blockchain
then run scenarios on whats actually involved in doing an attack and how things operate

dont just side step things simply because it doesnt appease you hopes that people simply dont say ethereum is king
instead learn the mitigating factors of reality and realise bitcoin has alot more strengths than ethereum does

like i said if you are attempting to re-org the blockchain in a 51% attack to double spend funds to continually crash the market. you need to learn how the delay of the confirms. the length of "catch up" time and also the mitigating factors a CEX can put inplace in regards to its balance and market order database and services decisions all are factors
its very easy for a CEX to keep a log of the UTXO's being spend as deposits. and then ban users that try re-using the same UTXO even in a block -reorg situation

aswell as if those now highly invested in bitcoin hardware wont want to lose their investment. they would soon realise that being malicious harms themselves more, they would quickly jump away from the malicious pool and join the honest side to protect their own value now invested in bitcoin
...

Suppose that I am a car factory that produces 1000 cars at a cost of $50,000 apiece, and suppose then that it turns out that there is, say, a security flaw (faulty steering or whatever) that almost kills the demand for the car, and that people do not want to buy the cars for more than, say, $20,000. Then I can't just wait for the demand to magically increase to allow me to sell them for >$50,000 at some point. Instead I will be forced to sell them at $20,000.

heres where you go wrong
if there is a real world physical limit of material cost across the globe that the cheapest new car on the planet can be built for is $50k in q3 of 2024
it doesnt matter that people prefer to want a new car for $20k.. they wont get it. car dealerships wont sell a car at $30k less than material cost.. thats just bad business
what you find is that there is across the globe a different material cost of manufacturing cars of $50k-$300k dependant on region and so if there is a low demand for new cars or where people want to pay the least possible.. the MARKET price will be around the $60k-$75k for most of the period and occassionally try to test the bottom of $50k where only those in the special regions willing to sell AT COST of lowest COST are still selling
when demand rises then the price can go premium upto $300k

yes if no one buys any cars, then the manufacturing gets affected and slowsdown(hashrate drop) where the material cost could go down due to less demands of materials(less asics) thus the cost can go down, which could then cause the dealership(market) bottom to go down. but this is a lengthy process in of itself

but there would need to be some fatal flaw that stops all trades and causes manufacturing to drop its material cost competition

[tiCeR]

Great posts here and there are some more variables that must be considered. Hash rate fluctuation! Bitmain aims at producing around 50,000 to 100,000 ASICS per month. I am not going through all the devices and provide the numbers for $/TH, but this is an overview I think suffices to sum things up.



It seems as if it were easy mathematics to find out how many miners someone needs for a potentially successful 51% attack, but in reality there are fluctuations of over 60%.



How many miners is an attacker going to order and how long will the consortium of attackers wait? How are they going to stay anonymous when they make the biggest order of ASICS in human kind history? How will that go undetected and not allow the Bitcoin dev team to respond to the inbound attack? What interest does Bitmain have to produce enough ASICS such that an entity can destroy their most important customer network - aka bitcoin? What would Bitmain say if someone walks in and says they need 1.1 mil. miners (S21 Hydro only)? A hash rate spike could destroy the plans and the attackers either need to wait (which they most likely can't afford because the message will be out) or they need to order more miners.

It was also said that 50,000 to 100,000 is ambitious and this refers to all models across the board. I have now taken the fastest ASIC in my example. The attack would cost around $8 billion in hardware only. While someone might argue that the cost would go down due to requested large scale production, you could as well argue that the cost will go up because ASICS involve rare resources and in this case demand might actually drive the price up.

It is not feasible in my opinion. The logistics would be unbelievable. How would it even be set up? Where? Pools are called pools because they pool hash rate from all around the world and demand for electricity is distributed. In this scenario an attacker would have to set up the whole infrastructure in one hidden place. How would sufficient electricity be provided? How long would it take to set up the operation and what is the chance by the time it is set up that the miners aren't getting closer to obsoletion and more miners would be needed to make up for increased efficiency in newer devices?

[buwaytress]

Can't really add anything so belatedly, franky1's response, while not exactly the scenario I had in mind, describes just how complex it would be to even mount such an attack. The preparation, the sheer breadth of collusion -- word would get out before they could put the resources in place, and the moral Ethereum devs and nodes would ensure a quick abortion.

But yes -- even if they succeeded, as many people have already considered (I remember Antonoupoulos describing the aftermath of a potential attack very well many years ago) -- a reorganisation would undo the attack. Remember, success isn't one single 51% attack to create an altcoin. Success means also convincing everyone else the altcoin is the one everyone would follow. Colussion also involves conversion.

Economically non-feasible is vastly underestimated.

[mjdamgaard]

Your hypothesis that a smaller coins' stakeholders could profit if a bigger competitor is successfully attacked, is based on the assumption that the cryptocurrency market works like a market of goods (say: apples) where sales are the figure to analyze. This means: there is a "static" necessity creating a demand, which is fulfilled by several competitors with a certain market share, and if one of them sells less, then the others normally sell more.

The crypto market however doesn't behaved like that historically. The "competitors" are often dependant one from another (one crashes, the others crash too, or vice versa). And there are also other products outside the crypto space (gold, stocks, bonds, "speculative assets" in general) partially covering the same demand. This means that while a "market" exists, if one competitor loses market cap, other coins in most cases do not benefit directly from that. Instead there is a very complex interdependence with dependencies to the outside world (e.g. vs the bonds market via the interest rate). And the market for strange reasons in some years contracts 70% and then again expands 500% ...

You would have to find cases in the real world where a similarly complex market exists and then such a predatory attack was successful, to support your claim.

Let's continue speculating in this direction. Imagine a ETH->BTC attack occurs. How can you prevent that people flee in extreme numbers from the whole crypto space because trust has been eroded, and instead invest again in what they have invested until Bitcoin appeared in 2009? Then Bitcoin, Ethereum and most other coins would crash.

It's a good point. I personally think that this is one of the strongest arguments against the possibility of a "Rival Goldfinger attack," especially if you also the point that a part of the public might take Bitcoin's side, being the victim of the attack, and think negatively about Ethereum.

To the latter point, it is worth noting, however, that an attack might only require a fraction of the stakeholders of Ethereum. And they can potentially do it anonymously, as I point out in my preprint. So a majority of the stakeholders might look to have their hands clean. Furthermore, as I also said in a recent reply:

This is assuming that the Ethereum community wants to be seen as innocent. But with enough campaign money, and enough time, both of which they have, I personally think that they will be able to convince a large part of the public that a switch to PoS is better; both for security, for reduced operational costs, which the users and investors ultimately have to pay, and not least for the planet, which is a topic that seems to generally be efficient in swaying a large part of the public.

Now, to your point about the price of Bitcoin and Ethereum being correlated, you are first of all right that they are. And you mention that this is because they partially cover the same demand. People compare investing in crypto to other markets, like how they are comparing investing in precious metal to other markets. But this doesn't mean that if, say, gold all of a sudden loses its value/demand (imagine that all gold turned radioactive all of a sudden, or something like that), then silver wouldn't increase in value. No, it likely would.

And similarly if Bitcoin was out of the picture, investors would turn to some of other options whenever the choose to invest in crypto.

Also, regarding the trust in crypto, if only PoW has this vulnerability, then as long as investors are aware of this, there's no real reason why they couldn't still trust PoS blockchains (assuming that they already do).

[mjdamgaard]

So my proposed mitigation strategy would be:

1) General measure against any 50+% attack: Leave the door open for a change in the mining algorithm. Don't concentrate on a single algorithm like Scrypt, making it more difficult for any attacker to prepare for this event. Perhaps even maintain a fork of Bitcoin code with several other algorithms, so the switch can happen rapidly.

2) Specific measure against a "rival blockchain attack": Identify a third blockchain directly competing with the attack blockchain (in the case of Ethereum being the attack chain, for example Solana, Cardano or Avalanche). So those invested both in the attacked and the attacker blockchain can dump their stakes on the attacker blockchain buying the third chain's coins, reducing the attacker blockchain's value and increasing the third blockchain's value. The third blockchain's whales will very likely not participate in the attack, because they will benefit much more if the attack blockchain crashes and they can get the market share.

3) Extreme last resort: I would not be against just preparing the ground for a fork with PoS (e.g. with a proof of concept or even a testnet "what could happen" if PoW really fails), which would be never enacted. But the possibility alone should disincentive any attack based on supposed specific PoW vulnerabilities. If #1 is a standard nuclear bomb (can be employed in rare cases like Hiroshima/Nagasaki), this would be the H bomb (will never be used but it's advantageous to have it).

I like these points a lot.

I find your second point particularly interesting; that's a very creative idea. If the Bitcoin investors can truly identify who's behind the attack, then they can in principle choose, if there's enough cohesion, to just migrate to a third coin, rather than to the attacking one (Ethereum most likely). I think you're right.

And you are also absolutely right about your third point; this might very well help deter an attack.

[mjdamgaard]

You seem to assume here again, at least during these few paragraphs, that the attackers try to steal a larger share of the newly minted coins (as miners). This is not their objective. Their objective is to steal a lot more than that via trades that they then rewrite afterwards, keeping only their ingoing transactions. (And their ultimate objective is actually to cause a crash of the cryptocurrency, assuming that this is what will happen.)

if they keep only their own tx. they cant do double spends..
remember they can only double spend their own value they control so if they are not reversing their own transactions then they cant double spend
also by reversing other peoples transactions they cant then take control of other peoples. because the malicious side does not have the key to sign the fund of other people. so in no way can a malicious side steal funds by reversing other peoples transactions.
emphasis a double spend is only able to happen by the malicious side reversing its own transaction and then re-spending their own value

to which i explained to achieve that the people in the attack need to convert their btc to goods/services/other currency. receive those goods/services/other currency in a settled final manner.. and THEN they can undo the blocks containing the transactions they want to reverse knowing they already have the value settled in another form(goods/fiat/altcoin). to then know when the btc transaction is reversed they can then respend the btc again to a different recipient.. to double spend that same btc

[...]

as for you saying about re-orging blocks to then mess with the market to crash it.
to be successful with that when the malicious pools deposits coin into an exchange. it has to wait for the exchange to deem the funds are settled with them (6 confirms for any significant amount deposited) the malicious users would then have to waste their deposit balance on orders to force a crash. and then remove the other currency to then re-org the blockchain to undo the deposit. so they can then do it again
however exchanges will notice these tactics of re-using a utxo thats was previously spent, and just block/ban users thus avoiding users abusing their balance database and market orders
also as said to do this, they cant just respend the same utxo every block by doing re-orgs every block. as i explained they would need to go through a process of delaying a 51% blockchain attack by ~50-4000 blocks to play each round out to then re-do it again.. by which time even the invited people to the malicious pool whom bought into bitcoin hardware will see the negative affects actually hurt their investment and they can within seconds jump to honest pools. where by it takes a malicious pool multiple hours/days per attack round

however in a ethereum attack the custodian of stake can manipulate blocks whereby the stakers wont counter it, because the stakers funds are at risk(the penalty) and the stakers cant simply jump to a honest custodian in seconds because it takes a day to de-stake. so the risk of a dishonest custodian on ethereum is far more harmful to ethereum users than a bitcoin attack is to bitcoin

if you want to delve dep into a blockchain attack to effect a CEX market you really need to learn the difference between the blockchain transactions which are not the market price orders vs the CEX balance and market order databases which are not the blockchain
then run scenarios on whats actually involved in doing an attack and how things operate

dont just side step things simply because it doesnt appease you hopes that people simply dont say ethereum is king
instead learn the mitigating factors of reality and realise bitcoin has alot more strengths than ethereum does

like i said if you are attempting to re-org the blockchain in a 51% attack to double spend funds to continually crash the market. you need to learn how the delay of the confirms. the length of "catch up" time and also the mitigating factors a CEX can put inplace in regards to its balance and market order database and services decisions all are factors
its very easy for a CEX to keep a log of the UTXO's being spend as deposits. and then ban users that try re-using the same UTXO even in a block -reorg situation

You seem to assume here that the 51%-attackers needs to make only one replay per reorg. But in fact they can make several replays per reorg:
Suppose Alice trades 1 bitcoin with Bob for some tokens or some USD, then trades that for "another" bitcoin from Claire (meaning that Claire's ownership of the coin isn't dependent on the first transaction with Bob), then trades that bitcoin away again to Doris, then buys "another" bitcoin from Eric. And suppose that Alice is then able to rewrite this recent part of the ledger afterwards. Then Alice can keep the transactions with Claire and Eric, i.e. where a bitcoin is transferred to a wallet of Alice's, but replace the transactions with Bob and Doris with two other transactions where the bitcoins are instead transferred to two other wallets of Alice's. At the end of this, she will have 3 bitcoin in 3 separate wallets: the one she started with and the ones from Claire and Eric.

And she could in principle have kept repeating this process (before rewriting the ledger) as many times as she can find traders whose ownership over the traded bitcoin isn't dependent on earlier trades with herself (i.e. she can only replay each single bitcoin once).

Now turn this example into Alice instead being a great number of people, who are backed by billions of dollars in total to do this attack.

And furthermore consider the fact that it is typical to see around $15B being traded each day. (And again, you agreed that Ethereum investors could in theory afford an attack lasting for several months, once they've paid the CapEx.)

And like I've said: the confirmation period unfortunately cannot be changed retrospectively, at least not with pure PoW.

[mjdamgaard]

you keep avoiding one point by presenting another point to attempt to evade running scenarios to find out your first point falls flat. you have done this many times now.. evaded one scenario by trying to play dumb and try to raise another scenario to then evade that scenario by taking it in context of another scenario

so lets make it clear

if your only scenario result you want is a market crash attempt, lets fully delve into that scenario
firstly when adding another 50% of network hashrate. it means the honest network has double the competition. AND EMPHASIS: half as much reward and double the cost of mining due to higher difficulty due to the competition..
this pushes up the basic value:premium window which then causes all those assessing the acquisition methods of btc to then have a higher speculative price expectation which means all those wanting btc would be more willing to buy higher and the sellers wont sell for less but instead only willing to sell for more.. this would cause the market to go UP

[...]

Suppose that I am a car factory that produces 1000 cars at a cost of $50,000 apiece, and suppose then that it turns out that there is, say, a security flaw (faulty steering or whatever) that almost kills the demand for the car, and that people do not want to buy the cars for more than, say, $20,000. Then I can't just wait for the demand to magically increase to allow me to sell them for >$50,000 at some point. Instead I will be forced to sell them at $20,000.

It's not fair of you at all to say that I'm evading this economic discussion of the supposed lower threshold when we have discussed this very topic for quite a while now, and you are even quoting my latest reply in this discussion in your very same post. (!) How on earth is that fair even one bit?

I've been very keen to try to answer all your points, and I'm not trying to evade them. If you at any point that you feel like I've skipped one of your arguments, please just point that out (e.g. by posting that I've missed that point and just quote yourself), and I will answer it.

Suppose that I am a car factory that produces 1000 cars at a cost of $50,000 apiece, and suppose then that it turns out that there is, say, a security flaw (faulty steering or whatever) that almost kills the demand for the car, and that people do not want to buy the cars for more than, say, $20,000. Then I can't just wait for the demand to magically increase to allow me to sell them for >$50,000 at some point. Instead I will be forced to sell them at $20,000.

heres where you go wrong
if there is a real world physical limit of material cost across the globe that the cheapest new car on the planet can be built for is $50k in q3 of 2024
it doesnt matter that people prefer to want a new car for $20k.. they wont get it. car dealerships wont sell a car at $30k less than material cost.. thats just bad business
what you find is that there is across the globe a different material cost of manufacturing cars of $50k-$300k dependant on region and so if there is a low demand for new cars or where people want to pay the least possible.. the MARKET price will be around the $60k-$75k for most of the period and occassionally try to test the bottom of $50k where only those in the special regions willing to sell AT COST of lowest COST are still selling
when demand rises then the price can go premium upto $300k

yes if no one buys any cars, then the manufacturing gets affected and slowsdown(hashrate drop) where the material cost could go down due to less demands of materials(less asics) thus the cost can go down, which could then cause the dealership(market) bottom to go down. but this is a lengthy process in of itself

but there would need to be some fatal flaw that stops all trades and causes manufacturing to drop its material cost competition

Well, this is exactly what we are talking about in this topic: If it turns out that Bitcoin has a fatal or near-fatal flaw that makes it vulnerable to a particular kind of 51% attack, then its price will drop severely.

Maybe I went to low with the prices in my example, so to really underline the point, imagine instead that the cars cost $190k to make, and it turns out that their motors have a risk of exploding, or something like that.

If it turns out that there is an attack vector on Bitcoin where attackers can keep stealing money and profiting as long as its price doesn't crash, then Bitcoin will crash (i.e. unless the attack vector is mitigated). You have to agree with this, don't you?

(And if you do, then we don't really need to discuss this specific topic anymore in relation to the overall topic of this thread, even if we still disagree on some points: We could do that in another thread.)

[franky1]

Well, this is exactly what we are talking about in this topic: If it turns out that Bitcoin has a fatal or near-fatal flaw that makes it vulnerable to a particular kind of 51% attack, then its price will drop severely.

Maybe I went to low with the prices in my example, so to really underline the point, imagine instead that the cars cost $190k to make, and it turns out that their motors have a risk of exploding, or something like that.

If it turns out that there is an attack vector on Bitcoin where attackers can keep stealing money and profiting as long as its price doesn't crash, then Bitcoin will crash (i.e. unless the attack vector is mitigated). You have to agree with this, don't you?

(And if you do, then we don't really need to discuss this specific topic anymore in relation to the overall topic of this thread, even if we still disagree on some points: We could do that in another thread.)

lets get serious about your analogies
if cars cost right now $50k-$300k to build, due to underlying material cost
by having another car manufacturer join creates competition and takes away some material meaning the material cost increases

yep just the increase of hashrate alone due to ethereum users switching to mine bitcoin will cause the underlying cost value:premium to increase
this then makes the retail/dealer sell cars publicly for more

yes if there was a fatal flaw that explodes engines or makes miners defunct to cause hashrate to drop. then yes this can also cause the underlying value to drop and thus the market price to go down when the public stop demanding bitcoin

however a ethereum group cant change the network just by having control of blocks. they still have to obide by the design of the network, if they tried to design a new algo that had a flaw. they would just create a new altcoin. and it would be that altcoin that fails(explodes)

bitcoin has had 15 years of safety checks of the main safety features, heck even satoshi himself left a p2pk address with some bitcoin on it that is in a re-used address thus leaving some data leakage of keys. and no one has been able to steal satoshis coins from the known address he send coins to hal and sent coins back as change

so trying to imply that a ethereum group can steal other peoples coins is a sign you have not researched bitcoin nor its risk mitigations and instead you just want to keep dreaming scenarios hoping someone will kiss you and tell you ethereum will be king,. becasue you evade actually going deep into wanting to truly know about bitcoin security and features that protect it. you instead change your attack scenario to try to pretend there is another way to do it

you need to realise in the many many months pre-atack the ethereum group shift over to bitcoin they would work as honest miners whilst they wait for leadership announcement. and then even when ethereum leadership announce an attack date. the result would be that the attackers would be working on a blocklist that is not visible to the honest network for multiple blocks and is not guaranteed to take over the honest network and pursist
also the attempt to re-spend old confirmed funds would only be worthy if the value involved was significant, to which services would log which funds are being undone and mitigate the user re-spending those funds

there are many mitigating circumstances and features and economics at play, even things like a pool needs to have their block visible and unorphaned for 100blocks before they can spend the rewards. however the honest network can reject the malicious pools blocks by simply not accepting the blocks that dont have the previous hashID of the blockheight
EG
if malicious pool started a (backward 1 block re-org) attack at block 850,000(editing 849999) but only got to catch up at block 850,070,
(meaning honest networks hash ID chain of 849,999->850,070 wont match the malicious pools hash chain of 849,999-850,070)
the block 850,071 that gets ahead and is published to the network from malicious pool wont have the 'previous hash id' of the honest networks version of 850,070 so the honest network would reject the malicious pools 850,071

[mjdamgaard]

Great posts here and there are some more variables that must be considered. Hash rate fluctuation! Bitmain aims at producing around 50,000 to 100,000 ASICS per month. I am not going through all the devices and provide the numbers for $/TH, but this is an overview I think suffices to sum things up.

https://talkimg.com/images/2024/08/07/5VfsD.png

It seems as if it were easy mathematics to find out how many miners someone needs for a potentially successful 51% attack, but in reality there are fluctuations of over 60%.

https://talkimg.com/images/2024/08/07/5Vy9f.png

How many miners is an attacker going to order and how long will the consortium of attackers wait? How are they going to stay anonymous when they make the biggest order of ASICS in human kind history? How will that go undetected and not allow the Bitcoin dev team to respond to the inbound attack? What interest does Bitmain have to produce enough ASICS such that an entity can destroy their most important customer network - aka bitcoin? What would Bitmain say if someone walks in and says they need 1.1 mil. miners (S21 Hydro only)? A hash rate spike could destroy the plans and the attackers either need to wait (which they most likely can't afford because the message will be out) or they need to order more miners.

It was also said that 50,000 to 100,000 is ambitious and this refers to all models across the board. I have now taken the fastest ASIC in my example. The attack would cost around $8 billion in hardware only. While someone might argue that the cost would go down due to requested large scale production, you could as well argue that the cost will go up because ASICS involve rare resources and in this case demand might actually drive the price up.

It is not feasible in my opinion. The logistics would be unbelievable. How would it even be set up? Where? Pools are called pools because they pool hash rate from all around the world and demand for electricity is distributed. In this scenario an attacker would have to set up the whole infrastructure in one hidden place. How would sufficient electricity be provided? How long would it take to set up the operation and what is the chance by the time it is set up that the miners aren't getting closer to obsoletion and more miners would be needed to make up for increased efficiency in newer devices?

Thank you, and thanks for your post.

You are right that all that would probably be infeasible, especially when you are assuming that the miners have to be anonymous.

But first of all, in order for the Bitcoin devs to respond, they need to find a way to respond. They can't exclude the attacking miners, so it seems that they would have to hard-fork to PoS, or something to that effect. (There is currently a discussion about what steps they could take to mitigate an attack on this thread.)

The also don't have to fear being discovered for legal reasons, it seems, since they are not doing anything legal in the lead-up to the attack, and not in carrying out the attack itself, arguably (see the discussion above about this topic).

Now, they might not want to reveal their intentions to their suppliers, as you point out. That is a good point. But at the end of the day, how can the suppliers really know what their buyers are up to and/or who they sell their ASICs to? Will they really make their customers sign a contract not to participate in a 51% attack, and would that even work?

Also, let me just quickly point out again, that the Ethereum stakeholders can buy/bribe existing mining farms. This proposition has apparently been dismissed so far in this discussion thread, almost as if 'honest' is a predicate that "sticks" to you as a miner, which seems odd to me, especially when the whole concept behind PoW blockchains is that the miners 'behave selfishly.'

[mjdamgaard]

Can't really add anything so belatedly, franky1's response, while not exactly the scenario I had in mind, describes just how complex it would be to even mount such an attack. The preparation, the sheer breadth of collusion -- word would get out before they could put the resources in place, and the moral Ethereum devs and nodes would ensure a quick abortion.

I'm not sure that the Ethereum devs would necessarily try to prevent something which might force Bitcoin to switch to PoS. And even if a majority of them will want to abort/revert an attack, doing so will undermine Ethereum's own purpose, since Ethereum has no agreed-upon obligation to save Bitcoin in case of an attack. So even though they could abort/revert a smart contract rewarding a Goldfinger attack if a majority of the stakeholders also agree (otherwise the devs are powerless), unless they are required to do so by law, it would undermine the freedom of Ethereum.

Furthermore, since the non-participating stakeholders also stands to potentially grow their assets by perhaps as much as 100% or more, it's hard to imagine that they would actively vote for a soft fork/hard fork preventing this.

[mjdamgaard]

But yes -- even if they succeeded, as many people have already considered (I remember Antonoupoulos describing the aftermath of a potential attack very well many years ago) -- a reorganisation would undo the attack. Remember, success isn't one single 51% attack to create an altcoin. Success means also convincing everyone else the altcoin is the one everyone would follow. Colussion also involves conversion.

2) Specific measure against a "rival blockchain attack": Identify a third blockchain directly competing with the attack blockchain (in the case of Ethereum being the attack chain, for example Solana, Cardano or Avalanche). So those invested both in the attacked and the attacker blockchain can dump their stakes on the attacker blockchain buying the third chain's coins, reducing the attacker blockchain's value and increasing the third blockchain's value. The third blockchain's whales will very likely not participate in the attack, because they will benefit much more if the attack blockchain crashes and they can get the market share.

Now that I've thought about it, I think it might be dangerous for Bitcoin investors to switch to a third PoS coin (fully or partially) as a solution. The danger is that if they are not extremely coordinated, the first investors to buy the third altcoin might get them for cheap whereas the last ones to move will have to pay a lot more BTC for them. This could cause a great shift in the wealth between the individual Bitcoin investors.

It would probably be much better to them create a brand new PoS coin and simply copy all the wallets and balances from Bitcoin to that one. Note that this is similar to making a PoS hard fork of Bitcoin in practice. Afterward the investors can trade the new coin in order to establish its value compared to Bitcoin (the PoW version) via the normal market forces.

What do you think of that?

[mjdamgaard]

yes if there was a fatal flaw that explodes engines or makes miners defunct to cause hashrate to drop. then yes this can also cause the underlying value to drop and thus the market price to go down when the public stop demanding bitcoin

Good, at least we agree on that, then.

however a ethereum group cant change the network just by having control of blocks. they still have to obide by the design of the network, if they tried to design a new algo that had a flaw. they would just create a new altcoin. and it would be that altcoin that fails(explodes)

We are not talking about them changing the algorithm. We are talking about replay attacks (steals).

bitcoin has had 15 years of safety checks of the main safety features, heck even satoshi himself left a p2pk address with some bitcoin on it that is in a re-used address thus leaving some data leakage of keys. and no one has been able to steal satoshis coins from the known address he send coins to hal and sent coins back as change

so trying to imply that a ethereum group can steal other peoples coins is a sign you have not researched bitcoin nor its risk mitigations [...]

This is simply false. It is not only widely accepted that replay attacks can happen (as long as the attacker has the money/power to do it), but they have also happened in reality to smaller PoW coins.

Somebody else, please back me up on this.

you need to realise in the many many months pre-atack the ethereum group shift over to bitcoin they would work as honest miners whilst they wait for leadership announcement. and then even when ethereum leadership announce an attack date. the result would be that the attackers would be working on a blocklist that is not visible to the honest network for multiple blocks and is not guaranteed to take over the honest network and pursist
also the attempt to re-spend old confirmed funds would only be worthy if the value involved was significant, to which services would log which funds are being undone and mitigate the user re-spending those funds

Here you are ignoring/not considering this earlier reply:

[...] But in fact they can make several replays per reorg:
Suppose Alice trades 1 bitcoin with Bob for some tokens or some USD, then trades that for "another" bitcoin from Claire (meaning that Claire's ownership of the coin isn't dependent on the first transaction with Bob), then trades that bitcoin away again to Doris, then buys "another" bitcoin from Eric. And suppose that Alice is then able to rewrite this recent part of the ledger afterwards. Then Alice can keep the transactions with Claire and Eric, i.e. where a bitcoin is transferred to a wallet of Alice's, but replace the transactions with Bob and Doris with two other transactions where the bitcoins are instead transferred to two other wallets of Alice's. At the end of this, she will have 3 bitcoin in 3 separate wallets: the one she started with and the ones from Claire and Eric.

And she could in principle have kept repeating this process (before rewriting the ledger) as many times as she can find traders whose ownership over the traded bitcoin isn't dependent on earlier trades with herself (i.e. she can only replay each single bitcoin once).

Now turn this example into Alice instead being a great number of people, who are backed by billions of dollars in total to do this attack.

And furthermore consider the fact that it is typical to see around $15B being traded each day. (And again, you agreed that Ethereum investors could in theory afford an attack lasting for several months, once they've paid the CapEx.)

And like I've said: the confirmation period unfortunately cannot be changed retrospectively, at least not with pure PoW.

And you are ignoring/not considering my earlier point that when the attackers profit from (or believe that they are profiting from) a crash, they don't have an incentive to keep any other assets/products, but can keep their stolen bitcoin after the attack. (It's a win-win: Either Bitcoin keeps its value, and they get rich, or it crashes, which is what their benefactors are trying to reward.)

there are many mitigating circumstances and features and economics at play, even things like a pool needs to have their block visible and unorphaned for 100blocks before they can spend the rewards. however the honest network can reject the malicious pools blocks by simply not accepting the blocks that dont have the previous hashID of the blockheight
EG
if malicious pool started a (backward 1 block re-org) attack at block 850,000(editing 849999) but only got to catch up at block 850,070,
(meaning honest networks hash ID chain of 849,999->850,070 wont match the malicious pools hash chain of 849,999-850,070)
the block 850,071 that gets ahead and is published to the network from malicious pool wont have the 'previous hash id' of the honest networks version of 850,070 so the honest network would reject the malicious pools 850,071

This idea goes against the principles of PoW. [deleted]
Edit: That is not to say that this idea couldn't work, but you have to agree that it would be a departure from pure PoW?

[franky1]

Here you are ignoring/not considering this earlier reply:

[...] But in fact they can make several replays per reorg:
Suppose Alice trades 1 bitcoin with Bob for some tokens or some USD, then trades that for "another" bitcoin from Claire (meaning that Claire's ownership of the coin isn't dependent on the first transaction with Bob), then trades that bitcoin away again to Doris, then buys "another" bitcoin from Eric. And suppose that Alice is then able to rewrite this recent part of the ledger afterwards. Then Alice can keep the transactions with Claire and Eric, i.e. where a bitcoin is transferred to a wallet of Alice's, but replace the transactions with Bob and Doris with two other transactions where the bitcoins are instead transferred to two other wallets of Alice's. At the end of this, she will have 3 bitcoin in 3 separate wallets: the one she started with and the ones from Claire and Eric.

And she could in principle have kept repeating this process (before rewriting the ledger) as many times as she can find traders whose ownership over the traded bitcoin isn't dependent on earlier trades with herself (i.e. she can only replay each single bitcoin once).

Now turn this example into Alice instead being a great number of people, who are backed by billions of dollars in total to do this attack.

And furthermore consider the fact that it is typical to see around $15B being traded each day. (And again, you agreed that Ethereum investors could in theory afford an attack lasting for several months, once they've paid the CapEx.)

And like I've said: the confirmation period unfortunately cannot be changed retrospectively, at least not with pure PoW.

And you are ignoring/not considering my earlier point that when the attackers profit from (or believe that they are profiting from) a crash, they don't have an incentive to keep any other assets/products, but can keep their stolen bitcoin after the attack. (It's a win-win: Either bitcoin keeps its value, and they get rich, or it crashes, which is what their benefactors is trying to reward.)

i did address it
i already said the mitigating factors YOU missed
EG before alice trades with bob on the market, alices deposit goes into an exchange (so i presume you are calling the exchange bob) and needs X confirms (significant amount is usually 6confirms)

so the exchange(bob) would then have the coin
now alice then exchanges the usd in another exchange for more bitcoin
but that involves moving stablecoin of usd to a different exchange(claire) so that your held value is safe from not being drawn back by bob(no longer in bobs exchange database balance)
this again means waiting time for funds to clear for clair to then trade
repeat a couple times with a few more exchanges(doris, eric)

and then you want to re-org a old block where you deposited with bob(exchange) to make that A->B transaction disappear

well you are now going to have to go backward many many blocks. re-do that block. and then have to catch up with the network again and over take it and hope the other nodes accept your new list
even with a 10% advantage(55% attack) and only re-winding 6 blocks, it would take like ~50 blocks to catch up
so play out your time frame to just do a bob, claire, doris, eric trades.. and realise you would then need to go back a heck of alot more blocks and edit the block containing the alice-bob trade

so run the scenario and do the math

..
also you state the $1.5B traded each day
you can rewind a block and that makes YOUR transaction ge undone so you can re-spend YOUR funds to a different destination.. but yo dont have the keys for the other users transactions to change their destinations to you. you cant steal other peoples funds so you cant control the other $1.5b transactions
like i said if you wanted to perform an attack then you need to run the scenario out properly and consider the mitigting circumstances and whats actually going to happen based on real things, not the fantasy results you made up and hope people will agree with

if you made a transaction where you deposited $1b and traded it for USD and then withdrew it via wire transfer, you would have to wait 72 hours atleast for the banks to clear it meaning a minimum re-wind time of ~450 blocks and the a catchup and over-take time of THOUSANDS of blocks